How to Fix WordPress Security Holes for a Safer Shopping Experience

May 27, 2014

When setting up an e-commerce site on WordPress, security needs to be your number one priority. Any time you’re dealing with people’s personal information or financial data, you have to be doubly careful. Failing to show you’re a trustworthy vendor via recognizable security logos and such could lose you customers. But failing to account for security could result in a much worse outcome: theft and data loss.

This is the e-commerce site owner’s worst nightmare. Thankfully, you don’t have to let this happen to you. Here, I’ll discuss some of the most common security issues that WordPress-based e-commerce sites face and walk you through the steps you need to take to plug those security holes for once and for all.

Step 1: SSL

When working in the e-commerce space, one thing you absolutely cannot compromise on is SSL. That’s Secure Sockets Layer for the uninitiated and protects sensitive information (both yours and your customers’) while it’s being transmitted for processing. A good way to ensure payments on your site are secure is to use a popular system like PayPal. This keeps all of the financial info off of your site and in the hands of a company that specializes in protecting transactions like this.

Alternatively, you can install a plugin like WordPress HTTPS (SSL) to add security directly onto your site. This plugin can be used to encrypt specific pages and includes a secure admin panel for easy maintenance. What you decide to use will ultimately depend on what you want to accomplish with your site in the end.

Step 2: Use a Ready-Made Platform

One way to ramp up site security is to use a ready-built e-commerce platform. This eliminates the guesswork in terms of what you should and shouldn’t include and makes it a lot easier to get started. There are several platforms out there like WooCommerce, Shopify, and others. So, do your research to find an e-commerce platform that will appropriately suit your needs.

If you decide to just use a WordPress theme instead, it’s best to only use those that you find in the WordPress directory or on reputable theme websites. Low-quality themes often lack the appropriate security measures, which put your site and your customers’ information at risk.

Step 3: Modify .htaccess

Another way to remedy potential WordPress security issues is to modify the .htaccess file. A lot of site attacks are performed on the database that supports the platform. If the database is attacked, it won’t be able to run the PHP scripts that make your site function.

SQL injection is one way hackers infiltrate your site. They do this by putting their own commands within a URL in your database. These commands can force the database to output information about your site, including login information. Variations on this hacking method can cause specific PHP scripts to run that install malware on your site. Basically, all of this is bad news for someone trying to run a secure site that their customers can feel confident using.

Thankfully, you can remedy this by modifying the .htaccess file in your WordPress site’s files. There’s an excellent breakdown of what rules you can add to .htaccess at eSecurity Planet, including complete code snippets you can place in the file to beef up site security. Once these rules are in place, you can prevent certain people from accessing your site, including specific IP addresses as well as specific URL requests.

You can also limit what files people can see. These commands can also be added to .htaccess and allow you to block any old person from accessing the private files on your server. You can typically accomplish this by blocking directory listings access. There’s no need for site visitors to see a list of all the files on our site, so blocking access will prevent malicious users from mounting an attack using that information.

Step 4: Skip the Admin

Another thing you definitely want to do when setting up your e-commerce WordPress site is make sure your username and password are comprised of a combination of letters, numbers, and characters. You should never keep your username as the default “admin.” This is what hackers “guess” as the username the most often when mounting brute-force attacks (see below). And you definitely don’t want to make the hackers’ lives easier. So make your username and password complicated.

You might also wish to install two-step authentication on your site. Something like Clef might do the trick.

Step 5: Limit Login Attempts

As I mentioned above, people can gain access to your site through brute force attacks. These attacks are carried out by automated scripts that repeatedly try to login to your site over and over again. Since the scripts run thousands of times, odds are good that they will eventually be successful.

That is, unless you put a failsafe measure in place. One such failsafe is a login limiter. A login limiter is a tool that prevents specific IP addresses or usernames from logging in over a certain number of times within a specified time frame. A typical limit of 10 times in a couple of minutes will cause that user or IP to incur a timeout for an hour. Brute force attackers aren’t effective when faced with a login limiter because they can’t make the thousands or millions of login attempts necessary to be successful. They’ll often move on from your site then and seek out easier territory.

There are many login limiter plugins available but let me tell you about a few that I personally like. First, there’s iThemes Security, which is a robust plugin designed to protect your site from a wide variety of attacks. In fact, in includes over 30 ways to prevent site attacks, including obscurity tactics, login limiting, bot detection, and more.

And then there’s Limit Login Attempts, which prevents brute force attacks by allowing you to limit the number of times a person can attempt to login. It’s fully customizable, too and provides optional logging and email notifications when site lockouts occur.

There are other options, of course, but these are just two I’ve found to be reliable.

Conclusion

No matter what kind of site you run, it’s important to keep security in mind. But it’s even more important for those that run e-commerce sites. When you’re responsible for other people’s information, it’s vital that you do everything you can within your power to protect it. That might mean using a ready-made e-commerce platform or opting to have all transactions processed offsite through a secure service. Or, it might require manually going into your WordPress site’s files and adding some code to protect it from malicious attackers. And when making sure your username and password are up to snuff isn’t enough, you can even limit login attempts to prevent brute-force attacks.

All of these methods when used in conjunction can help to beef up your site’s security and make for a more safe shopping experience for your customers. Which is kind of the whole point, don’t you think?

Now over to you. What methods do you use to improve WordPress site security for online stores? What tools or plugins are must-haves for you? I’d love to hear all about it in the comments!

4 Comments

Thanks for mentioning iThemes Security Tom. One thing you forgot to mention though. Pay attention. So many sight owners ignore when something isn’t working right and it can really affect their customers.

limit-login-attempts, also use this tool and it’s great that the plugin still works with the latest version of WP. To bad that it hasn’t been updated for almost 2 years now. That could be a problem in the near future. Any alternative available?